Archive

I am now calling the 0.2 version of the configuration registry released! The configuration registry is now almost completely useable. In this revision, I’ve implemented loading/storing to local browser storage ( ie a cookie ); as well, clearing and JSON serialization were implemented in this revision. The new features are backed up by rigorous ( more or less 🙂 ) unit tests.

The only thing left to implement is loading using xhr. Due to the lack of a good way to unit test xhr, I’ve been hesitant to start writing this feature in. Version 0.3 of this bug will include xhr loading.

Since only xhr loading is left, I plan to start working on other bugs/other projects for the 0.3 release.

I look forward to my code being reviewed. If you have the time, come over to the pull request thread and drop a word or two 🙂

It’s Wednesday, October 26, 2011. I’ve been on something of a hiatus for a week or two as I’ve been mostly preoccupied with EJB605. It’s time to get back to work on OSD and not just because 0.2 is due tomorrow. Luckily, my particular project involves a steady linear progression towards completion at some point. I imagine that 0.2 will be the last release that I do for the Configurator Registry.

With that in mind, let me take a minute to point out how awesome it has been to work on Paladin. Coming from a background with a lot of interest in game development as well as a sizeable amount of work invested in other game engines over the past 2 or 3 semesters, I found Paladin to be very nicely written. The organization and enthusiasm of its volunteers and project leads is quite refreshing. This is why I will be going back to Paladin to help them out whenever I can in the near future. However, for my 0.3 release, I thought that I would like to change course a little bit.

XSS Me is an explicitly open-source FF add-on that tests sites for XSS vulnerabilities. It is a tool used and loved by many web devs around the world to test their sites for XSS flaws. For the uninitiated, an XSS flaw ( Cross-Site Scripting, shortened to XSS ) is a type of security flaw that allows an attacker to execute arbitrary Javascript on a website by submitting specially crafted user-data to that site. This can be something like a Facebook post or a user blog on a blogging site. This is very dangerous on websites like Facebook that thrive on user-submitted data. The results of a successful XSS attack can be devastating considering that the browser of each user viewing the attacker-submitted data will be executing whatever Javascript the attacker desires.

XSS Me partially mitigates this threat by doing the attacker’s work for you, thereby giving a webdev some indication as to whether their website is vulnerable to XSS attacks. I had the chance to work on XSS Me when I worked for Security Compass ( also see SecCom Labs ) as a part of Seneca’s coop program. What makes XSS Me interesting is that it does its work fast, really fast. XSS Me will send many requests to a target website, encoding an XSS attack vector into each request; it will then analyze each response, scanning for evidence that the attack vector had caused the site to execute specific Javascript encoded in each attack vector. Since Javascript is single threaded, one would think that this process is quite slow once you factor in the hundreds of attack vectors that have to be sent to the site.

To achieve its speed however, XSS Me gets clever. Since XSS Me is an FF Add-on and not a web-page Javascript, it gets more privileges as it executes in the browser’s context. XSS Me leverages this power by opening up multiple tabs and executing Javascript code in each one. In this way, XSS Me fakes real threading into Javascript.

This mostly works. However, some nasty bugs have emerged from this construct that are difficult or impossible to diagnose; one heisen-bug in particular caused me much grief as I tried to squash it, failing time and time again despite numerous attempts. With the advent of HTML5 and web workers, I saw a chance to update the core threading component of XSS Me to utilize web workers. I find this to be an exciting opportunity because I like concurrency J

None of this is for certain as I still have to discuss this plan with Humph; should it pan out however, I think that it would be an exciting way to enter the world of HTML5 threading. As well, if anyone else is interested in working on XSS Me, there’s plenty of work to go around.

Just now, I’ve submitted my first github pull request for the Mozilla/Paladin initiative and already I made some mistakes! The workflow to submitting a pull request is clearly outlined in their workflow page (which I read ages ago and forgot about entirely :P).

Luckily, things are mostly OK but I should have done some make tests before throwing my branch into the fray. I am currently performing those tests post-request submit…

For the past little while, I’ve been working on a particular issue in Paladin’s issue tracking system. That issue proposes the creation of a configuration registry subsystem that will someday determine which Gladius subsystems execute and with which options.

At the moment, setting configuration options in Gladius is a bit of a mixed bag; this new subsystem should improve the state of things.

I took a break from writing/refining tests to write down my design ideas on the configuration registry. I’ve created a wiki page on my github gladius fork where my ideas have gone. If interested, please take a look and let me know what you think:

Trying to step along paladin’s unit test suite to get a handle on how the engine operates inside of firebug. Things are working out pretty alright when I don’t make the mistake of stepping into the line after the last line in the script because then… firefox crashes 😦

So far I’ve restarted firefox 3 times in the last ten minutes, I’m sure I’ll discover a workaround soon or just learn not to be stupid; anyone else have any similar experiences?

So I read about git and I deem git to be cool. I have prior experience with Mercurial and I’ve come to the conclusion that for all intents and purposes, git and Mercurial (hg) are roughly the same.

If you’ve never used a VCS before then git should be a pleasant learning experience. If however you’ve used something like SVN or Perforce for an extended period of time prior and have become very accustomed to the interface then git may be something of a shock for you.

In any case, try to use and enjoy it because it’s here to stay. A quick look at github’s user-base reveals a small army of over 1 million users (as of September 22, 2011). This user-base is reportedly rabid so if you don’t like git then git ready for a fight…